Secret app's loophole points to difficulty of blending anonymity with social media

If you think you've finally found a place to share your secrets anonymously — and nobody would ever know, well, think again.

If you think you've finally found a place to share your secrets anonymously — and nobody would ever know you are the person who said, "I wanted a kitten. My husband is allergic. I secretly drug him with antihistamines every morning" — well, think again.

The chief executive of Secret, the anonymous-sharing app that has attracted many nameless confessors, has confirmed the app's vulnerability and that anonymity is not guaranteed.

"The thing we try to help people acknowledge is that anonymous doesn't mean untraceable," David Byttow, chief executive and co-founder of Secret, told Wired in a recent interview. "We do not say that you will be completely safe at all times and be completely anonymous."

Here is how Secret works: You set up an account with your phone number, email address or Facebook account, and Secret matches the contacts in your address book against other users to connect you with friends who are on the app. You can see and comment on secrets posted by your friends, and by friends of friends, but a post is never labelled with its author's name. You can also share your own secrets, "all anonymously," as Secret promised.

But two "white-hat hackers" (researchers who consider themselves ethical), Benjamin Caudill and Bryan Seely, were able to identify the people behind supposedly anonymous posts on Secret by adding a target's personal email address to a contact list they controlled. They were also able to see what Byttow had posted on Secret: "Is Lucy the cutest dog?"

The idea behind the hack was simple, despite the arduous process.

On a Secret feed, you can only see posts from your friends, or from friends of friends, because Secret builds your feed from your contact list. But what if you delete your contacts, create dummy Secret accounts (the app doesn't require you to verify your e-mail address or phone number), and add someone's real e-mail address to that list? Then every post the feed labels as coming from a "friend" can only have come from that one real person.

"We were able to manipulate the process of adding friends to the app and replace real 'friends' with dummy accounts we created, causing the application to believe we have a large group of friends and that any one friend's secret would be anonymous," Caudill said in an email to The Washington Post. "In actuality, only one real person was added — the victim — so any secrets from friends would be identified as theirs."

Secret only requires seven contacts before it will show you your friends' posts. Caudill created a pool of 50 dummy accounts for his experiments. Although the result surprised Caudill, he said these sorts of flaws are common in mobile applications, especially at start-ups.
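To make the mechanism concrete, here is a toy simulation of the friend-feed logic just described. It is an added example, not Secret's code and not Caudill's tooling. It keeps only the rules the article reports: contacts are plain, unverified email addresses, the feed unlocks once the viewer has seven contacts, and a contact's post is shown only as coming from a "friend". It then computes the anonymity set of a "friend" post from the attacker's point of view, which is the quantity that actually matters. The names `Account`, `ToyService`, `run_attack`, the `require_verified` switch and the sample post are assumptions made for this illustration; the verified-contact policy at the end is one possible mitigation, not something the article says Secret implemented.

```python
"""Toy model of the Secret-style friend-feed de-anonymization.
Added example; the service logic and data layout are assumptions, not Secret's code."""
from dataclasses import dataclass, field

MIN_CONTACTS = 7  # threshold reported in the article


@dataclass
class Account:
    email: str
    verified: bool = False  # assumption: verification modelled as a flag; the app did not require it
    contacts: set = field(default_factory=set)
    posts: list = field(default_factory=list)


class ToyService:
    """Minimal stand-in for the friend-feed logic; not Secret's implementation."""

    def __init__(self):
        self.accounts = {}

    def signup(self, email, verified=False):
        self.accounts[email] = Account(email, verified)
        return self.accounts[email]

    def add_contact(self, viewer, email):
        # Contacts are stored as raw addresses: nothing checks that the address
        # belongs to a real person or that the viewer actually knows them.
        self.accounts[viewer].contacts.add(email)

    def post(self, email, text):
        self.accounts[email].posts.append(text)

    def _account(self, email):
        return self.accounts.get(email, Account(email))

    def feed(self, viewer, require_verified=False):
        """Return (label, text) pairs. The label never names the author."""
        counted = {
            c for c in self.accounts[viewer].contacts
            if not require_verified or self._account(c).verified
        }
        if len(counted) < MIN_CONTACTS:
            return []  # feed stays locked until the threshold is met
        return [("friend", text) for c in sorted(counted) for text in self._account(c).posts]


def anonymity_set(service, viewer, attacker_controlled):
    """Contacts of `viewer` that the attacker does not control, i.e. the people
    a 'friend' post in the viewer's feed could really have come from."""
    return service.accounts[viewer].contacts - attacker_controlled


def run_attack(require_verified=False):
    svc = ToyService()
    svc.signup("victim@example.com", verified=True)
    svc.post("victim@example.com", "Is Lucy the cutest dog?")  # constructed sample post

    attacker = "attacker@example.com"
    svc.signup(attacker)
    dummies = {f"dummy{i:02d}@example.com" for i in range(50)}  # the article's pool of 50
    for d in dummies:
        svc.signup(d)  # throwaway accounts, never verified
        svc.add_contact(attacker, d)
    svc.add_contact(attacker, "victim@example.com")  # the one real contact

    feed = svc.feed(attacker, require_verified)
    suspects = anonymity_set(svc, attacker, dummies)
    return feed, suspects


if __name__ == "__main__":
    feed, suspects = run_attack()
    print("feed:", feed)
    print("who could have written a 'friend' post:", suspects)
    print("feed with verified-contact threshold:", run_attack(require_verified=True)[0])
```

The point the simulation makes is that a raw contact count is the wrong metric: the attacker satisfies the seven-contact rule with 51 contacts, yet the anonymity set of every "friend" post is exactly one person. Counting only verified contacts keeps the feed locked in this run, but it only raises the attacker's cost; an attacker willing to verify 50 throwaway addresses gets the same result, so the real defence has to reason about how many contacts the viewer does not control.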

"Between the high-level design and implementation of code, attackers have a lot of possible attack vectors, and developers need to cover them all," Caudill said. "Secret actually has pretty good security in many areas, but the deck is stacked against companies today. It's hard for them to cover all possible vulnerabilities without a lot of specialized help."

Companies such as Secret routinely patch flaws as hackers disclose them through a bug bounty program, which Secret set up six months ago. The Secret team has closed 42 security holes identified by more than 30 white-hat hackers.

Secret is just one of many popular anonymity and privacy apps for mobile devices that promise to let people communicate in a safer, more secure environment, Caudill said. But for many of these companies, the technical controls don't match the marketing. For example, Snapchat, the popular photo-sharing app, settled with the Federal Trade Commission and accepted 20 years of monitoring by FTC regulators over charges that it deceived users. What the company promised users, that photos shared with friends will disappear once they are seen, isn't always true.

Secret did not immediately respond to a request for comment.

There are dozens of similar apps that let users share their words while remaining anonymous. Although he likes the concept, Caudill said, he is not convinced there is a viable business in melding social media with the desire for anonymity.

"Social media requires connections and the encouragement for users to interact with people they personally know," he said. "Adding anonymity into the mix requires some compromising on one side or the other."

What people post on Secret is more often embarrassing than seriously confessional, but many of them still don't want it getting out.

"Keep in mind what could go wrong if there was no anonymity and your communication was open," Caudill said.